Waledac Loves Me, Waledac Loves Me Not
Published: January 27 2009, 01:38 AM by Zarestel Ferrer
Valentine’s Day is approaching, and the Win32/Waledac trojan will surely be visible again for this year’s celebrations.
In fact, at the end of last week, Waledac’s affiliated e-card scam websites updated their content with a Valentine theme.
As in our previous Waledac post, we used Malzilla to check the website’s source code. The screen capture below shows that, once again, the web page is one big image; and a single click from a tricked user commences the download of “love.exe”.
Currently, Waledac-related websites distribute trojan executables with the following filenames:
love.exe
onlyyou.exe
you.exe
youandme.exe
meandyou.exe
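An added example, not part of the original post: a small Python check that flags a page whose only real content is an image linking to an executable, and reports whether the target matches one of the filenames listed above. The anchor-wrapping-an-image layout, the 40-character text threshold and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Filenames listed in the post above.
LURE_NAMES = {"love.exe", "onlyyou.exe", "you.exe", "youandme.exe", "meandyou.exe"}

class LurePageScanner(HTMLParser):
    """Assumed layout: an <img> wrapped in an <a> whose href ends in .exe."""
    def __init__(self):
        super().__init__()
        self.exe_links = []       # basenames of hrefs ending in .exe
        self.linked_images = 0    # <img> tags nested inside such a link
        self.text_chars = 0       # visible text outside <script>/<style>
        self._in_exe_link = False
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            path = urlparse(attrs.get("href") or "").path.lower()
            self._in_exe_link = path.endswith(".exe")
            if self._in_exe_link:
                self.exe_links.append(path.rsplit("/", 1)[-1])
        elif tag == "img" and self._in_exe_link:
            self.linked_images += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "a":
            self._in_exe_link = False

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())

def scan_page(html, max_text=40):
    """Flag image-only pages that link to an executable; max_text is an assumed threshold."""
    p = LurePageScanner()
    p.feed(html)
    p.close()
    image_only = p.linked_images > 0 and p.text_chars <= max_text
    known = sorted(set(p.exe_links) & LURE_NAMES)
    return {"suspicious": image_only, "known_names": known, "exe_links": p.exe_links}

# Constructed sample pages (not captured from a real site).
LURE = '<html><head><title>For you</title></head><body><a href="/love.exe"><img src="card.jpg"></a></body></html>'
BENIGN = '<html><body><h1>Downloads</h1><p>Release notes and installation instructions for version 2 are listed below.</p><a href="/setup.exe">Installer</a></body></html>'
```

The structural check does not depend on the filename, so it still fires if the lure is renamed; the filename match only adds context for triage.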
The trojan’s behavior isn’t as cuddly as the filenames, unfortunately. Once Win32/Waledac is running on a system, it is capable of using the compromised machine as a spam bot. We captured SMTP communication from an affected system sending spam emails:
Waledac also gathers information about the system, then sends the stolen data to its accomplice web servers. In addition, the trojan retrieves information used for its malicious activities, such as message bodies for the spam emails it creates, and email addresses to target.
CA detects these files as Win32/Waledac.G:

Please keep away from websites like the ones shown here, and keep your security software updated.
Happy Valentine’s Day in advance!